Lessons from Grangemouth

Chris Dyer reviews the results of an investigation into the potentially catastrophic incidents that occurred at the BP Grangemouth complex in 2000.

In January 2002, BP was fined £1 million following two incidents at its Grangemouth complex in June 2000 (Prosecutions: BP fined £1 million for "gross dereliction"). The Scottish sheriff who imposed the penalty, Albert Sheehan, said: "Clearly there has been what can only be described as a gross dereliction of the duties incumbent on the accused [BP] and there was considerable potential danger to plant operators and members of the public."

Commenting on the outcome of the trial, HSE principal inspector Alistair McNab, who led the HSE's investigation, said: "I expect a world-leading company to have world-leading safety, health and environmental performance. In this case, only good fortune avoided fatalities and serious injuries." He added that there were lessons that other companies and their directors should learn.

The BP Grangemouth complex is a "top-tier" site under the Control of Major Accident Hazard Regulations 1999 (COMAH), which govern nearly 1,100 sites in the UK (see box below). Legislation required that the incidents be investigated, but the results could not be published until legal proceedings were completed. The HSE has now published its major incident investigation report into the events, which is the result of a joint investigation (led by the HSE) with the Scottish Environment Protection Agency.¹ (The COMAH Regulations are enforced by a competent authority [CA] consisting of:

  • in England and Wales - the HSE and the Environment Agency; and

  • in Scotland - the HSE and the Scottish Environment Protection Agency.)

    The report describes the causes of the incidents in May and June 2000 - a power distribution failure that caused refinery shutdown, failure of a steam main resulting in minor injury to a member of the public and a serious fire at a process unit.

    Electrical failure

    On the evening of 29 May 2000, all electrical power was lost to several substations that supply the north side of the Grangemouth complex containing the oil refinery and chemical and utility plants. An emergency shutdown of the refinery and the chemical plants took place. The utility plants were affected by the loss of power to the main cooling water pumping systems; other areas of the complex had to be shut down because the loss of the steam supply meant that the flare system could not be maintained. No one was injured.

    The loss of electrical power was caused by damage to a 33kV underground cable during the excavation of a trench to install a new cable adjacent to existing ones. Water was able to penetrate the damaged cable sheathing, allowing the current to run to earth. The local circuit-breaker, which should have isolated the relevant part of the distribution system, did not operate because it had been disabled. Two other circuit-breakers in the system then tripped to clear the fault, resulting in the loss of power to large parts of the complex.

    Before the excavation started, operatives from the excavation contractor were given a "toolbox talk" that identified the correct tools and the way they were to be used in the excavation work. Operatives were allowed to break the ground surface to a depth of 300mm using a compressed-air power tool known as a clayspade, which was not to be used below this depth to avoid damage to existing cables. Nevertheless, evidence indicates that the earth fault resulted from the cable being damaged with a clayspade. Supervision during the excavation work was limited: the supervisors from the excavation contractor and BP Construction did not provide continuous on-site supervision.

    Once water had penetrated the cable, the fault should have been detected by the 33kV circuit-breaker in the local electricity substation. Had this happened, power supply to the oil refinery area would have been maintained. The CA investigation found no evidence that the relay was disabled for malicious intent or in conjunction with the failure of the 33kV cable. It is possible that it occurred during performance testing in the 1980s, although the CA concludes that it is difficult to envisage how plastic inserts disabling the circuit-breaker would not have been noticed during subsequent testing.

    The CA suggests that there were major weaknesses in the safety management systems, particularly in organising (communication, control and competency), in planning and implementing and in monitoring.

    Specific examples include:

  • no written evidence of a specific risk assessment of the choice of cable route and the installation of a new electrical supply cable on existing high-voltage cables;

  • lack of organisational resource meant that power distribution personnel were not involved in planning and executing the project, although it had the potential to affect the power distribution system for the complex;

  • although the contractors assessed the risk to operatives working in close proximity to high-voltage cables, there was a failure to implement acceptable control measures, including adequate supervision and method of work; and

  • BP failed adequately to resource the maintenance of relays by manual testing every two years and failed to have adequate written procedures for testing.

    The CA concludes that these failures and their underlying causes demonstrated a failure in BP's control of contractors and in the management of change in this incident.

    A previous power failure incident occurred in July 1999. This resulted in a loss of steam, plant shutdowns and significant flaring. On this occasion, the plant emergency shutdown systems and the uninterruptible power supply on the whole operated effectively, preventing any further consequences.

    Steam main rupture

    In the late evening of 7 June 2000, an 18-inch medium pressure (MP) steam main adjacent to a main road burst. The steam leak damaged fencing next to it, and debris and steam were blown across the road until the leak was isolated. A member of the public walking a dog 300m away tripped over the dog and sustained rib injuries. The steam supply was disrupted until the leak was isolated and repaired.

    The power distribution failure on 29 May resulted in water drainage pumps being unavailable. This caused flooding of service tunnels carrying MP steam distribution lines. During investigations to see if the flooding had caused damage to pipework, a steam trap, which allows condensed hot water to escape from the system, was closed to allow safe inspection. This trap was not subsequently reopened and the rising levels of hot water trapped a bubble of steam in the pipework. This bubble eventually collapsed causing a phenomenon known as "condensation-induced water hammer". This led to gross overpressure in the pipework and its catastrophic failure.

    The CA concludes that the safety management system governing operation of the MP steam line had major weaknesses in organising (particularly communication, control, competence and coordination), in planning and implementing and in monitoring and review. Underlying problems involved:

  • the management of change (change control procedures);

  • the failure adequately to investigate significant plant upsets and carry out risk assessments;

  • the operating regimes and lack of certain site standards;

  • the inspection and maintenance of equipment;

  • the management structure and organisation; and

  • the failures to learn lessons from previous incidents/events on-site.

    In the week prior to the failure, downstream pipework had suffered significant water hammer and condensate was ejected from a pressure relief valve. Action was taken to isolate that particular section of pipework from the network, but the investigation into the upset was incomplete and inadequate. Another section of the same MP steam line failed in January 1975 due to severe water hammer. Many of the recommendations made following this incident were relevant to the June 2000 incident, but appeared not to have been followed.

    Cat Cracker fire

    The Fluidised Catalytic Cracker Unit (FCCU) within the oil refinery had been shut down on 29 May 2000 as a result of the power distribution failure. FCCUs are standard installations used throughout the world on oil refineries for converting the heaviest components of crude oil into useful products, such as motor fuels. There is also a worldwide history of operational incidents involving FCCUs, including at the Grangemouth complex, and information is widely publicised and readily available.

    In the early hours of 10 June 2000, during start-up procedures commenced the day before, there was a significant leak of hydrocarbons from the FCCU. These created a vapour cloud that ignited, causing a serious fire. On- and off-site emergency services brought the fire under control in 90 minutes and extinguished it by mid-morning.

    During the fire, some asbestos cladding on pipework and vessels was damaged and hydrocarbons in contaminated firewater were discharged directly into the River Forth. No one was injured; workers followed the emergency response procedures, but there was potential for injury to people and greater damage to equipment.

    Investigations found that the leak that led to the fire was caused by the failure of a T-piece connection in pipework. This had been installed in the 1950s and, although the correct type of T-piece had been specified, this was not the type fitted. No subsequent changes were made to plant layout drawings to identify this change.

    Later modifications to the pipework had left the T-piece and other pipework inadequately supported. Further modifications to the FCCU in 1996 and 1998 had resulted in it being increasingly difficult to operate reliably and, although designed to run continuously, it was subject to an increased number of startup and shutdown cycles.

    Failure of the T-piece was probably caused by a combination of the wrong T-piece connection, inadequate support for the pipework and cyclic stresses and vibration caused by the more frequent starting and stopping of the unit. Eventually this led to fatigue failure of the pipework.

    The four or five workers in the immediate vicinity only escaped fatal or serious injury because of a combination of the way in which the fire started and progressed, their positioning at the time of the incident and their presence of mind in moving to safe positions. Weather conditions assisted, and the vapour did not accumulate in and around the buildings or in the plant. Under different circumstances, this could have led to a vapour cloud explosion, which would have increased the likelihood of fatal injuries and escalation of the incident.

    The CA concludes that there were major weaknesses in failing to organise to meet the high standards required by COMAH and in planning and implementing and in monitoring, audit and review. Underlying problems were identified in:

  • the organisational structure - the HSE accepts that these were historic and had been identified by BP, which was taking steps to address the issue when the incidents occurred;

  • the operational review system;

  • the maintenance of integrity of pipework to avoid loss-of-containment scenarios;

  • the risk assessment procedures; and

  • the consideration of human factors issues.

    The FCCU safety report for 1997/98 concludes that: "Hardware and software controls in place on the FCCU are adequate to prevent the occurrence of a major accident that could affect the general public, the personnel working on-site or the environment around it." The findings of the investigation show that this conclusion was partly unjustified even in 1997 when it was submitted, and certainly did not reflect the reality by 10 June 2000, when the cumulative effects of unreliability, numerous plant startups, vibration and unsupported pipework factors came together.

    The safety report was not proactively used as a management standard for reviewing continued safe operation, nor used as an audit tool to verify the claims made for safe operation. There were serious deficiencies in the COMAH compliance regime and the safety report did not reflect the reality of the plant operations and maintenance. Additionally, a number of incidents involving vibration had occurred during the previous two years.

    Common themes

    The investigations also identified common themes relating to the health, safety and environmental management system at Grangemouth. These were:

  • BP group policies set high expectations that were not consistently achieved for organisational and cultural reasons;

  • BP group and complex management did not detect and intervene early enough on deteriorating performance; and

  • BP failed to achieve the operational control and maintenance of process and systems required by law.

    Immediately after the incidents, BP formed a taskforce to review all of its operations and organisation at Grangemouth and to come up with recommendations for achieving high standards of safety and environmental performance. This group comprised 30 experts from within BP and from external bodies. BP accepted all the recommendations, and the CA report concludes that the taskforce's findings and recommendations properly address the way forward to ensure safe and reliable operations at the Grangemouth complex.

    The HSE's Alistair McNab said: "BP has cooperated fully throughout the investigation and has given its commitment to the lessons and messages in the report. Since these incidents, there has been a sustained improvement of safety performance across the Grangemouth complex.

    "I am also pleased to say that the UK Petroleum Industry Association, the Chemical Industries Association and the Chemical and Downstream Oil Industry Forum [a tripartite HSE/industry/trades union advisory body] will be encouraging use of the lessons learned from the report as an agent for change in the industry."

    Wider messages

    Although the report is predominantly about the incidents at the BP Grangemouth complex in 2000, its publication must be seen against the government's Revitalising health and safety strategy (Employers face major health and safety at work shake-up). One of the strategy's aims is to "prevent major incidents with catastrophic consequences occurring in high-hazard industries", and the HSE is taking this opportunity to remind industry of its responsibilities.

    Major hazard industries should ensure that the knowledge available from previous incidents - within their own organisations and externally - is incorporated into current safety management systems (see box below). The CA is reinforcing this message because incident investigations often identify and report causes, but no action results. Some major accidents could have been prevented with the correct focus.

    It also considers that industries should know of previous major accident histories within their own company and sector. The conclusions and recommendations from published accident investigation reports are designed to ensure that this information is available to a wider audience. If lessons are to be learned, companies need to monitor and implement actions from these reports.

    Many companies need to improve their corporate memory so that the knowledge gained from previous incidents is available and heeded by those involved today. Each generation of employees should not have to learn by repeating the mistakes of the past.

    Operators should give increased focus to major accident prevention to ensure the control of serious business risk and effective corporate governance. Failure to comply with COMAH, and the associated major accident potential for a site, should be considered a significant business risk that needs to be addressed as part of effective corporate governance. This was discussed in the Turnbull report.² Major accidents are intolerable to the public, politicians and the regulators, while lost production, clean-up, fines and damaged reputation can cost companies dearly. Turnbull states that directors should, at least annually, review systems of control including risk management, and financial, operational and compliance controls that are fundamental to the company's business objectives.

    The HSE's guidance for directors advises that they should be fully aware of their corporate responsibilities for the control of major accident hazards (Directors take safety on board). Failure by a corporate body and the directors of a company to adequately manage health and safety can lead to prosecution of the company and the individual directors responsible.

    The COMAH safety regime is a "living process" and should be used as a management tool to assist in process safety management. Regular inspection of plant, equipment and safety management systems, and regular auditing, are essential in the control and prevention of major accidents. Inspection and auditing must be rigorous and target process safety aspects; the CA will require evidence that these processes are being rigorously applied during the inspection regime under the COMAH Regulations. Inspection and auditing programmes should verify that the descriptions of equipment and management systems contained within the safety reports for major hazard sites are still valid.

    The importance of safety cases, which are analogous to safety reports in the COMAH regime, was highlighted in the Cullen report on the Ladbroke Grove rail crash: "While it is clear that the safety case can become over-bureaucratic, it has the potential to be a valuable tool by, for example, bringing about a systematic approach to safety and providing a record of management's commitment to safety. The evidence showed that it [the safety case] can be a 'living document', part of the direct management of safety."

    The CA says that companies should use safety reports as a "benchmark" against which to monitor and audit compliance and to ensure that safety standards are being maintained. It also considers that human factors is a relevant COMAH issue that requires consideration in process safety management and in COMAH safety reports. The CA advises that inadequate consideration of human factors is a main cause of the rejection of COMAH safety reports.

    ¹ "Major incident investigation report: BP Grangemouth Scotland: 29 May - 10 June 2000. A public report prepared by the HSE on behalf of the Competent Authority", www.hse.gov.uk/comah/bpgrange/index.htm, free.

    ² "Internal control: guidance for directors on the Combined Code", Institute of Chartered Accountants for England and Wales, www.icaew.co.uk/internalcontrol, free.


    THE COMAH REGIME

    The Control of Major Accident Hazard (COMAH) Regulations came into force on 1 April 1999. Their main aim is to prevent and mitigate the effects of major accidents involving dangerous substances that can cause serious damage or harm to people and the environment. Substances covered by COMAH include chlorine, liquefied petroleum gas and explosives. The COMAH Regulations treat risks to the environment as seriously as those to people.

    The Competent Authority (CA) has a duty to inspect activities subject to COMAH and prohibit the operation of an establishment if there is evidence that measures taken for prevention and mitigation of major accidents are seriously deficient. It must also examine safety reports and inform operators about the conclusions of its examinations.

    COMAH mainly affects the chemical industry - although some storage activities, explosives and nuclear sites and other industries are covered - where threshold quantities of dangerous substances identified in the Regulations are kept or used. Operators of sites that hold large quantities of dangerous substances ("top-tier" sites) are subject to more onerous requirements than those of "lower-tier" sites.

    The Regulations impose a general duty on all operators to take all measures necessary to prevent major accidents and limit their consequences to people and the environment. The requirement to prevent and mitigate recognises that all risks cannot be completely eliminated, and proportionality is an important element in the enforcement policy of the CAs. The phrase "all measures necessary" is interpreted to include this principle and judgments are made about the measures in place. Where hazards are high, high standards are required to ensure that risks are acceptably low.

    Prevention is based on the principle of reducing risk to a level as low as is reasonably practicable (ALARP) for human risks, and using the best available technique not entailing excessive cost (BATNEEC) for environmental risks. The ideal is always, wherever possible, to avoid a hazard altogether.

    Major accident prevention policy

    Lower-tier operators must prepare a document setting out a major accident prevention policy (MAPP). The MAPP is usually short and simple, setting down what is to be achieved, but it should also refer to the safety management system that is used to put the policy into action. The detail will be contained in other documentation relating to the establishment, such as plant operating procedures, training records, job descriptions and audit reports, to which the MAPP can refer.

    The MAPP also has to address issues relating to the safety management system. The most important areas are:

  • organisation and personnel;

  • identification and evaluation of major hazards;

  • operational control;

  • planning for emergencies; and

  • monitoring, audit and review.

    Top-tier operators

    Top-tier operators have to comply with the above except that they do not have to prepare a separate MAPP document. Instead, they must prepare safety reports that include the information that lower-tier operators provide in their MAPPs.

    The safety report demonstrates to the CA that all measures necessary for the prevention and mitigation of major accidents have been taken. It must include:

  • a policy on how to prevent and mitigate major accidents;

  • a management system for implementing that policy;

  • an effective method for identifying any major accidents that might occur;

  • measures (such as safe plant and safe operating procedures) to prevent and mitigate major accidents;

  • information on the safety precautions built into the plant and equipment when it was designed and constructed;

  • details of measures (such as firefighting, relief systems and filters) to limit the consequences of a major accident; and

  • information about the emergency plan for the site, which is also used by the local authority in drawing up an off-site emergency plan.

    The safety report must be updated if there are any modifications to the plant or the way it is operated, or if new facts or information become available. It must be reviewed after five years even if there have been no changes.

    Top-tier operators must also:

  • prepare and test an on-site emergency plan;

  • supply information to local authorities for off-site emergency planning purposes; and

  • provide information to the public about their activities.


    LESSONS FOR MAJOR ACCIDENT HAZARD SITES

    The Competent Authority (CA) and BP conclude that there are three important lessons to be learned from the incidents at Grangemouth. The CA believes that if these lessons are learned the major accident hazard industry and individual companies would, as a result, be able to reduce major accidents in line with the HSE's Revitalising strategy.

    1. Major accident hazards should be actively managed to allow control and reduction of risks.

    Control of major accident hazards requires a specific focus on process safety management over and above conventional safety management. BP has re-evaluated its major accident hazards and improved the management and control of these hazards to reduce the risk involved. It has also recognised the importance of integrating the principles of process safety management into the operation of major hazard sites such as Grangemouth and has augmented existing process safety management systems with a group-wide standard on process safety and integrity management.

    The CA encourages others in the major accident hazard industry to adopt these approaches so as to reduce accidents. It advises that specific consideration is given to adopting robust "management of change" procedures, with all changes - including organisational changes - being fully evaluated before implementation so that all potential hazards associated with the change are identified.

    2. Companies should focus on preventing a loss of containment.

    The integrity of all systems on a major hazard site is essential if leaks and spillages that could result in a major accident are to be avoided. Avoiding a loss of containment is important not only for pressure vessels and other large items of plant and equipment but also for the pipework systems that are often not subjected to the same rigorous levels of inspection and maintenance. Reducing the number of flanges, removing dead-legs, reducing vibration and correctly securing and supporting pipework systems can reduce the chances of a loss of containment that could lead to a major accident.

    Onshore major hazard industries should be aware of the success of initiatives in the offshore industry to reduce loss-of-containment events. Failure mechanisms for pipework are already well established and should be well known, and the prevention of such failures should be manageable.

    3. Companies should develop key performance indicators (KPIs) for major hazards and ensure that process safety performance is monitored and reported against these parameters.

    BP has developed a series of KPIs that complement traditional safety and highlight the important areas in the control of major accident hazards. The CA encourages others in the major accident hazard industry to adopt these approaches. Conventional indicators of safety performance, such as "days away from work" (which are high-frequency/low-consequence events) do not measure process safety relevant to the control of major accidents (which are low-frequency/high-consequence events) and can give a false impression of process safety performance. Companies should benchmark their performance in relation to the control of major accident hazards against industry standards. Companies should be monitoring and taking account of industry trends in relation to improvements in safety technology and safety management systems.

    Disruption to utility supply systems (steam, electricity etc) on a major hazard site can cause significant problems and have the potential to result in a major accident.

    BP has recognised the issues raised by the power distribution failure and the steam main rupture and has re-evaluated its approach to the control of utility supply systems on-site. The CA considers that recent power loss incidents (including that at BP) highlight the potential of such incidents to produce significant safety risks. The vulnerability, reliability and impact of failures of utility systems on major hazards are relevant to the preparation of a COMAH safety report, and the CA will require evidence that these issues have been addressed.